Clayton Rule Documentation
Learn everything about our rules, and how to leverage them to drive absolute quality in your development team.
Common Weakness Enumeration mapping
Use native ZIP functions over Zippex
Hardcoded secret
Passwords set programmatically
Avoid Using HTTP Referer Headers
Flow Access Restriction
Email spamming risk
Insecure sharing to external users
Server-side Payload Injection
User Registration Without Limits
LWC Clickjacking on CSS
Import of sensitive fields in Lightning Web Components (LWC)
Direct DOM manipulation in Lightning Web Components (LWC)
Sensitive information storage
Sensitive information logging
Excessive data access permissions
Subresource integrity
Content Security Policy (CSP)
Insecure endpoints
Named credentials
Randomization of cryptographic keys
Use of Session storage and Local storage
Use of Session ID in Visualforce
Multiple automation on the same object
Multiple record-triggered flows on the same object
Call to blocklisted method
Missing fault path in Flows
Identify methods with global visibility
Asynchronous methods in loops
Boundaries on SOQL statements
Bulkification of triggers
Business logic in triggers
Metadata API recency
Multiple triggers per object
Number of arguments per method
Number of methods per class
Send email in loops
Inefficient Calls to Schema.getGlobalDescribe
Use of spaces in attribute class selectors
Non-selective SOQL queries on large objects
Database changes in Flow loop paths
Direct access utility class
Data manipulation utility class
CRUD and Field-Level Security
Data access in loops
Data manipulation in constructors
Exception handling
Sharing
Transaction control
Flows without description
Description on custom objects
Description on custom fields
Hardcoded ID (flows)
Hardcoded IDs in configuration
Naming conventions on sObjects
Naming conventions for Apex variables
Optimized loading of resources
Unnecessary code detection
Untested Lightning Web Components
Assertions with comments
Minimum number of assertions
Clayton rules - Test data isolation
Clayton Rules - Untested methods
Clayton Rules - Use of @IsTest annotation
Clayton rules - Use of test data factories
Clayton Rules - Salesforce1 compatibility in Visualforce
Clayton Rules - User friendly messages in Visualforce
Clayton Rules - Visualforce view state optimization
Clayton Rules - No autocompletion on password field
Clayton Rules - No insecure cookies
Clayton Rules - Arbitrary Page Redirect
Clayton Rules - Cross-Site Scripting (XSS)
Clayton Rules - Cross-Site Request Forgery (CSRF)
Clayton Rules - Insecure Direct Object References
Clayton Rules - Inactive flows and processes
Clayton Rules - Inactive validation rules
Clayton Rules - Objects with an excessive number of custom fields
Clayton Rules - High complex flows and processes
Clayton Rules - High complex Apex methods
Clayton Rules - High complex Apex files
Clayton Rules - Use of outdated API version for ICU locale
Clayton Rules - Naming conventions on sObjects fields
Clayton Rules - Naming conventions on Apex inner classes
Inactive Workflow Rules
Inactive Workflows
Hardcoded IDs in code
Clayton Rules - Naming conventions on Aura Controller Property
Clayton rules - Identify test coverage cheats
Naming conventions on Apex methods
Clayton Rules - Unsafe JavaScript
Clayton Rules - Naming conventions on Apex triggers
Clayton Rules - Inline JavaScript
Clayton Rules - Retirement of AccountInsights and OpportunityInsights Settings
Retirement of Streaming API versions
Deprecated methods in URL Class
Deprecated SiteSetting
Changed behaviour on Type.forName
Retirement of Salesforce Functions
Clayton Rules - JsonAccess Annotation